This is a cool and easy to use (security) feature from Palo Alto Networks firewalls: The External Dynamic Lists which can be used with some (free) 3rd party IP lists to block malicious incoming IP connections. In my case, I am using at least one free IP list to deny any connection from these sources coming into my network/DMZ. I am showing the configuration of such lists on the Palo Alto as well as some stats about it.
What is an external dynamic list? It is a list of known malicious sources maintained by some providers/persons on the Internet. These IP lists can be used to blacklist/block/deny connections from those sources. A good overview of such lists is “Blocklists of Suspected Malicious IPs and URLs” from Lenny Zeltser. I am currently using the following well-known lists: “All Cybercrime IP Feeds” by FireHOL: http://iplists.firehol.org/.
This list is a combination of other sources that also include fullbogons and other entries. FireHOL shows many graphs and stats about the distribution from their listed IP addresses. Follow the link above and have a look!
What about IPv6? Well, it seems that only legacy IP is widely supported. Bad. FireHOL does not list any statement about that. I am not happy with this, but I also know that it is not easy to maintain IPv6 lists due to the large address space. (Should an IPv6 blacklist block a /128, /64 or even a /48 in case of abuse?) At least the Spamhaus Project has an IPv6 list, called DROPv6.
Some further notes:
- You should always check the quality of a list before using it. To my mind, the list mentioned above is quite “good”; however, note that such a list could be abused, too. Do some research about its trustworthiness before using it in your policies.
- The list is only an IP address list, that is, it is useful for blocking incoming connections. For outgoing (user-initiated) connections, you can use URL lists rather than IP lists. Lenny mentioned a few of them in his blog post. And the Palo Alto firewall is also able to use domain and even URL lists for security policies, etc.
Usage within Palo Alto
I am currently using a PA-200 with PAN-OS 7.1.7. (Official documentation here.) The blacklists are configured under Objects -> External Dynamic Lists. They are of type “IP List”. Those dynamic objects can then be used within a security policy. In my case, I have added two deny policies at the very beginning of my whole ruleset. Immediately after committing, the traffic log shows denied connections from various IPv4 addresses:
At first, I was interested in whether the whole blacklists are used correctly by the firewall. There are some CLI commands to see/refresh the lists such as:
weberjoh@pa> request system external-list ?
> refresh refresh external-lists
> show Print IPs/Domains/URLs in an external list
> url-test test accessibility for url
I captured this screenshot from the FireHOL page that shows 17.299 entries on January 30th, 2017. In fact, exactly the same valid entries were listed in the Palo Alto dynamic list at the same time, as the following listing shows. (Note that there are not only /32 host IPv4 addresses but also bigger [bigly?] networks such as /20):
weberjoh@pa> request system external-list show type ip name dyn_firehol
Next update at : Mon Jan 30 21:00:21 2017
Source : https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
Referenced : Yes
Valid : Yes
Total invalid entries : 34
Of course, it looks quite the same with IPv6, here with the Spamhaus DROPv6 list:
weberjoh@pa> request system external-list show type ip name dyn_Spamhaus-DROPv6
Next update at : Wed Feb 15 05:13:38 2017
Source : https://www.spamhaus.org/drop/dropv6.txt
Referenced : Yes
Valid : Yes
Total valid entries : 19
Total invalid entries : 4
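To make the “valid/invalid entries” counters from the two listings above tangible, here is a small added example (my own illustration, not code from Palo Alto Networks or FireHOL) that parses a list in the FireHOL .netset style, counts valid and invalid entries the way the firewall reports them, and checks whether a given source address would hit the deny rule. The sample list is constructed for this example and is not the real feed.

```python
import ipaddress

# Constructed sample in the FireHOL .netset style: '#' comment lines, then one
# address or CIDR prefix per line. An IPv6 prefix is mixed in to show that the
# same parsing works for a DROPv6-style list. The last two lines are
# deliberately malformed so that the invalid-entry counter is non-zero.
SAMPLE_NETSET = """\
# constructed sample, not the real firehol_level1.netset
0.0.0.0/8
10.16.0.0/20
192.0.2.0/24
198.51.100.77
2001:db8:bad::/48
256.1.1.1
not-an-ip
"""

def parse_netset(text):
    """Return (valid_networks, invalid_lines) for a netset-style list.

    Comment and blank lines are skipped. A bare address becomes a /32 (or
    /128) network so hosts and prefixes can be matched uniformly.
    """
    valid, invalid = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            valid.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            invalid.append(line)
    return valid, invalid

def summarise(text):
    """Mimic the 'Total valid entries' / 'Total invalid entries' CLI lines."""
    valid, invalid = parse_netset(text)
    return {"valid": len(valid), "invalid": len(invalid)}

def is_blocked(source_ip, networks):
    """True if source_ip falls inside any listed prefix (the deny-rule match).
    Membership across address families is simply False."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, bad = parse_netset(SAMPLE_NETSET)
    print(summarise(SAMPLE_NETSET), "invalid lines:", bad)
    for ip in ("10.16.7.9", "10.16.16.1", "2001:db8:bad::1"):
        print(ip, "blocked" if is_blocked(ip, nets) else "allowed")
```

Note that 10.16.7.9 is caught by the /20 prefix while 10.16.16.1, just outside it, is not; this is the effect of the larger networks mentioned above.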
Now here is a custom report that shows all denied connections during the last calendar week, sorted by count (top 5), grouped by port. Many well-known ports such as SSH, telnet, SMTP, HTTP, NTP, SNMP, etc. are scanned from different IPv4 addresses all over the world:
I really like this feature, at least for my lab where not everything is business-critical. To my mind blocking some “false positives” is still better than allowing some malicious connections (false negatives).